Concept

Key2Share is a generic access control system that allows users to maintain their access rights for different resources on their mobile device. The system is applicable in various application scenarios, ranging from access control for digital objects, such as electronic documents, to physical resources such as enterprise facilities, hotel rooms, safe boxes and cars.

In the Key2Share system, access control rights are managed by a central authority, the issuer. Access rights are issued to regular users in the form of electronic keys (eKeys), which are stored on the users' mobile devices. eKeys grant the users access rights to different resources. One of the key features of Key2Share is the ability of users to share their access rights with other users without contacting the issuer.

The Key2Share system architecture is depicted in Figure 1. It includes the following entities: the issuer, users, delegated users and resources. As a first step, the issuer recruits users to the system (step 1). Depending on the application scenario, this step can be an enterprise employing its employees or a car manufacturer selling a car to a customer. Next, the users have to register with the web service managed by the issuer (step 2). Once registered, they can download electronic keys (eKeys) issued by the issuer from the web server and store them on their mobile device (step 3). eKeys allow the users to access the resources. For instance, they unlock the doors of offices or disable car immobilizers (step 4). Further, access rights granted by eKeys can be shared with other users, which we call delegated users (step 5). Delegated users do not have to be pre-registered with the issuer's web service; they can be temporary guests of the enterprise, or family members or friends of car owners. Delegated users can access (a subset of) the resources available to the users who shared their eKeys (step 6).

eKeys are subject to access control policies, which can limit the scope of the access rights based on usage context. For instance, eKeys can be defined as shareable or non-shareable, carry time constraints (e.g., be valid only during working hours), or allow access only a limited number of times.
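One way the policy constraints and the subset rule for delegated users could be evaluated, as an added illustration that is not Key2Share's own code or key format. The `EKey` fields, the `delegate` and `Resource.check` helpers and the sample values are hypothetical, and the cryptographic protection of eKeys is not modelled.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

@dataclass(frozen=True)
class EKey:                      # hypothetical model, not the Key2Share format
    key_id: str
    holder: str
    resources: frozenset
    shareable: bool
    valid_from: time             # daily validity window
    valid_until: time
    max_uses: Optional[int]      # None means unlimited

def delegate(parent: EKey, key_id: str, to: str, resources, max_uses=None) -> EKey:
    """Derive a delegated eKey that can only narrow the sharer's rights."""
    if not parent.shareable:
        raise PermissionError("eKey is non-shareable")
    wanted = frozenset(resources)
    if not wanted <= parent.resources:
        raise PermissionError("delegation exceeds the sharer's resources")
    limits = [n for n in (parent.max_uses, max_uses) if n is not None]
    # Assumption of this sketch: delegated eKeys cannot be shared further.
    return EKey(key_id, to, wanted, False, parent.valid_from,
                parent.valid_until, min(limits) if limits else None)

class Resource:
    """A lock that enforces the eKey policy and counts uses per eKey."""
    def __init__(self, name: str):
        self.name, self.uses = name, {}

    def check(self, key: EKey, now: datetime) -> str:
        if self.name not in key.resources:
            return "deny: resource not covered"
        if not key.valid_from <= now.time() <= key.valid_until:
            return "deny: outside time window"
        used = self.uses.get(key.key_id, 0)
        if key.max_uses is not None and used >= key.max_uses:
            return "deny: use limit reached"
        self.uses[key.key_id] = used + 1
        return "grant"

# Constructed sample data: an employee eKey and a guest eKey derived from it.
EMPLOYEE = EKey("k1", "alice", frozenset({"office-1", "lab"}), True,
                time(8, 0), time(18, 0), None)
GUEST = delegate(EMPLOYEE, "k2", "bob", {"office-1"}, max_uses=2)
```

The guest eKey inherits the sharer's working-hours window and is denied at resources it was not delegated, which is the "subset of resources" behaviour described for step 6.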

Key2Share employs cryptographic protocols for the secure distribution and management of access control tokens, as well as a security framework that protects them on the smartphone from unauthorized access.